Hi,

I have a problem here. What I have is a ticket support system and I am stuck.

Well, what I want is to stop people from changing the id to view other tickets, e.g. ticket.php?id=7 to ticket.php?id=1.

 

<?php
$username = $_SESSION['username'];
$id = $_GET['id'];
$i = 0;

// Note: this comparison is always true, since $id was just copied from $_GET['id'].
if ($_GET['id'] == "$id") {

    // Escape the id before it reaches SQL; it comes straight from the URL.
    $query  = "SELECT * FROM `Replys` WHERE `ticket` = '" . mysql_real_escape_string($id) . "'";
    $result = mysql_query($query);
    $numResults = mysql_num_rows($result);
    while ($row = mysql_fetch_array($result)) {

        $ticketID     = $row['ticketID'];
        $problem      = $row['message'];
        $time_replied = $row['time'];
        $status       = $row['status_code'];
        $by           = $row['by'];
        $submiter     = $row['submiter'];

        if ($status == 1) {
            $stats = "This ticket is still <font color=\"#00FF00\"><strong>Open</strong></font>";
        } elseif ($status == 2) {
            $stats = "This ticket has been <font color=\"#FF6600\"><strong>forwarded to the admin</strong></font>";
        } elseif ($status == 3) {
            $stats = "This ticket has been <font color=\"#FF0000\"><strong>closed</strong></font>";
        } else {
            $stats = "<font color=\"#FF0000\"><strong>Error/Deleted</strong></font>";
        }
?>
<a href="SupportDesk.php">Return to Support</a><br /><br />
<table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF">
  <tr>
    <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href="profile.php?user=<?php echo urlencode($by) ?>" target="_blank"><?php echo htmlspecialchars($by) ?></a></i><br>
            <img src="Images/support/mod.gif" width="50" height="50"><br>
            <i><?php echo htmlspecialchars($time_replied) ?></i></div></td>
    <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo htmlspecialchars($problem) ?><br />
              <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo htmlspecialchars($by); ?></font></div></td>
  </tr>
</table>
  <br /><br />
<?php
        $i++;
    }
} else {
    print "This is not your ticket!";
}
?>

https://forums.phpfreaks.com/topic/186055-support-ticket-system/

The only way is to require a login or use POST, but they can still manipulate POST data.

 

I use sessions. I check if the user is logged in, and then they are shown this page.

 

I also tried this MySQL query, but only the person who submitted it could see it.

<?php
$query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";
?>

Do you want to prevent them from viewing other people's tickets, or just their own?

 

And this line does nothing:

$id = $_GET['id'];

if ($_GET['id'] == "$id") { // the same as checking if 1=1, or elephant=elephant, or false=false, etc.

 

I want to prevent them from viewing other people's tickets.

Just create a permissions table and have one of the options be whether they are allowed to view other people's tickets: 1 if they are, 0 if not. Go into the ticket.php file and throw in some PHP to validate whether they have permission or not, based on the permissions table.


I sort of get what you mean about the permissions.

What was wrong with your query?

$query = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";

This is the track you must take. It's how you allow certain users to view certain content.

You said, "but only the person who submitted it could see" .. isn't that the point?


Yes, but I want moderators, and only moderators, to look at the tickets and answer them.

It's a help desk/support system.

I understand what it is, as your title says it all. However, it's only now that you are starting to shed some more light on the usage of this system. Why is that? The more people have to guess, the longer it will take for you to be helped.

To clarify your issue: you want only moderators and the respective user to be able to view a certain ticket.

For example, John creates a ticket. The ticket is #347. Now you want only John AND any moderator to be able to view ticket #347, correct?

Simple: create a permissions table for moderators with an option being whether they can view tickets or not (`view_tickets` = 1 or 0 in the db permissions table), and follow the same condition within the SQL query as you already have, except now you'll add the permissions to the mix.

I keep having to quote myself...

You can't prevent data from being manipulated; you can only validate it. So the only good way to do it is by requiring them to be either an admin or the user who submitted the ticket.

The user has to be an administrator or the person who created the ticket.

You obviously already have some way of distinguishing a moderator from a user. I think you should be able to figure out the logic here, but everyone always wants me to do it for them. (No, I won't do it for you, unless you pay me.)

Pay you? Would a packet of Skittles do :shrug:

I use this:

if ($user['user_level'] >= 2) {

where 2 is the moderator level.

Oops, use OR:

if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user['user_level'] >= 2)) {

 

Thanks, I replaced the query with this. It all works now.

Except this:

Moderators are only shown the reply box and not the information about the ticket.

I have attached two pictures below.

 

[attachment deleted by admin]

Show your revised code.

 

Here it is

<?php
$username = $_SESSION['username'];
$id = isset($_GET['view']) ? $_GET['view'] : null;
$i = 0;

if (isset($_GET['view'])) {

    // Look up the current user's record to get their level (2 and up = moderator).
    $level = "SELECT * FROM `users` WHERE name = '" . mysql_real_escape_string($username) . "'";
    $get   = mysql_query($level) or die(mysql_error());
    $user  = mysql_fetch_array($get);

    // This query is still filtered by submitter, so a moderator who did not open
    // the ticket passes the check below (via user_level) but gets no rows from it.
    $sql = "SELECT * FROM `Replys` WHERE `ticketID` = '" . mysql_real_escape_string($id) . "'"
         . " AND `submiter` = '" . mysql_real_escape_string($username) . "'";
    if ((@mysql_num_rows(@mysql_query($sql)) > 0) || ($user['user_level'] >= 2)) {

        $result = mysql_query($sql);

        print "<a href=\"Support.php\">Return to Support</a><br /><br />";

        while ($row = mysql_fetch_array($result)) {

            $ticketID     = $row['ticketID'];
            $problem      = $row['message'];
            $time_replied = $row['time'];
            $status       = $row['status_code'];
            $by           = $row['by'];
            $submiter     = $row['submiter'];

            if ($status == 1) {
                $stats = "This ticket is still <font color=\"#00FF00\"><strong>Open</strong></font>";
            } elseif ($status == 2) {
                $stats = "This ticket has been <font color=\"#FF6600\"><strong>forwarded to the admin</strong></font>";
            } elseif ($status == 3) {
                $stats = "This ticket has been <font color=\"#FF0000\"><strong>closed</strong></font>";
            } else {
                $stats = "<font color=\"#FF0000\"><strong>Error/Deleted</strong></font>";
            }
?>
<br />
<table width="550" cellpadding="5" cellspacing="0" bordercolor="#FFFFFF">
  <tr>
    <td width="75" bgcolor="#FFFFFF"><div align="center"><i><a href="../loggedin54782/profile.php?user=<?php echo urlencode($by) ?>" target="_blank"><?php echo htmlspecialchars($by) ?></a></i><br>
            <img src="Images/support/mod.gif" width="50" height="50"><br>
            <i><?php echo htmlspecialchars($time_replied) ?></i></div></td>
    <td width="475" valign="top" bgcolor="#FFFFFF"><div align="left"><font size="2.75" color="black"><?php echo htmlspecialchars($problem) ?><br />
              <br /></font><font size="2.75"><?php echo $stats ?> by <?php echo htmlspecialchars($by); ?></font></div></td>
  </tr>
</table><br /><br />
<?php
            $i++;
        }
?>
  Add reply form below<br />
<form action="" method="post" name="addreply" id="addreply">
  <br />
  Reply below... Before forwarding to the admin(s) please ask the user for<br />
  more information regarding their ticket!<br />
<textarea name="message" id="message" cols="60" rows="5"></textarea>
<br /><br />
  <input type="submit" name="Close" id="Close" value="Reply + Close" />
  <input type="submit" name="Forward" id="Forward" value="Reply + Forward" />
  <input type="submit" name="Add-Reply" id="Add-Reply" value="Add Reply" />
</form>
<?php
    }
} else {
    print "This is not your ticket!";
}
?>

</body>
</html>

The query holding the message is not returning results, as the moderator's username is not attached to the user's ticket.

$sql = "SELECT * FROM `Replys` WHERE `ticket` = '$id' AND `submitter` = '$username'";

`submitter` does NOT equal 'moderator'.

I have removed

.... `submitter` = '$username'

It works, but like before all users can view the ticket information :S

Even if it is not your ticket, you can still view it by changing tickets.php?view=(any ticket number here)

and that's what I want to stop others doing.

I know.

I was just letting you know that that's why your mods weren't getting the desired information.

Now you need to work it out so that the mods have global access to the users' tickets.
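The rule the thread converges on, from the permissions-table suggestion through "admin or the person who created the ticket" and the OR fix to the last reply about moderators needing global access, written out as one ticket.php. This is an added example, not code from the thread or from the poster's system. It keeps the thread's table and column names (`users`.`name`/`user_level`, `Replys`.`ticketID`/`message`/`time`/`status_code`/`by`/`submiter`) and the poster's convention that user_level 2 and up means moderator; the PDO connection `$pdo`, the assumption that a ticket's opening row in `Replys` carries the submitter, and the `profile.php` link target are assumptions. The two points that fix both bugs in the thread are that the authorization decision never uses the submitter filter for moderators, and that the data query does not use it at all.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is a PDO connection
// created elsewhere (e.g. require 'db.php'), the thread's `users` and
// `Replys` tables as described in the lead-in, and user_level >= 2 = moderator.
declare(strict_types=1);

session_start();

/**
 * Authorization decision: the caller may read the ticket if they are a
 * moderator or if they submitted it. Both facts come from the session and
 * the database, never from the request, so editing ?view= changes nothing.
 */
function canViewTicket(PDO $pdo, int $ticketId, string $username): bool
{
    $stmt = $pdo->prepare('SELECT user_level FROM `users` WHERE name = ?');
    $stmt->execute([$username]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        return false;                        // unknown account: deny
    }
    if ((int) $level >= 2) {
        return true;                         // moderator: may read any ticket
    }
    // Assumption: the ticket's opening row in `Replys` names the submitter.
    $stmt = $pdo->prepare(
        'SELECT 1 FROM `Replys` WHERE ticketID = ? AND submiter = ? LIMIT 1'
    );
    $stmt->execute([$ticketId, $username]);
    return $stmt->fetchColumn() !== false;   // owner of this ticket
}

/**
 * Data query, deliberately NOT filtered by submitter. That filter is what
 * left moderators with an empty result set in the thread; once
 * canViewTicket() has said yes, owner and moderator see the same rows.
 */
function loadReplies(PDO $pdo, int $ticketId): array
{
    $stmt = $pdo->prepare(
        'SELECT ticketID, message, `time`, status_code, `by`, submiter
           FROM `Replys` WHERE ticketID = ? ORDER BY `time`'
    );
    $stmt->execute([$ticketId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function statusText(int $code): string
{
    switch ($code) {
        case 1:  return 'This ticket is still <strong>Open</strong>';
        case 2:  return 'This ticket has been <strong>forwarded to the admin</strong>';
        case 3:  return 'This ticket has been <strong>closed</strong>';
        default: return '<strong>Error/Deleted</strong>';
    }
}

// ---- ticket.php request flow -------------------------------------------

$username = $_SESSION['username'] ?? null;
if ($username === null) {
    http_response_code(403);
    exit('Please log in.');
}

// The only client-supplied value: a positive integer ticket number. Anything
// else is rejected before it reaches the database.
$ticketId = filter_input(INPUT_GET, 'view', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
if ($ticketId === null || $ticketId === false) {
    http_response_code(400);
    exit('Bad ticket number.');
}

if (!canViewTicket($pdo, $ticketId, $username)) {
    // Same answer whether the ticket exists or not, so the check does not
    // double as a ticket-number oracle.
    http_response_code(404);
    exit('This is not your ticket!');
}

foreach (loadReplies($pdo, $ticketId) as $row) {
    // Escape everything that came out of the database before echoing it;
    // ticket text is user input and must not be rendered as HTML.
    $by      = htmlspecialchars((string) $row['by'], ENT_QUOTES, 'UTF-8');
    $message = htmlspecialchars((string) $row['message'], ENT_QUOTES, 'UTF-8');
    $when    = htmlspecialchars((string) $row['time'], ENT_QUOTES, 'UTF-8');
    echo '<p><a href="profile.php?user=' . urlencode((string) $row['by']) . "\">{$by}</a> ({$when})<br />\n"
       . "{$message}<br />\n"
       . statusText((int) $row['status_code']) . " by {$by}</p>\n";
}
```

The reply form from the thread's second listing would go after the loop, guarded by the same canViewTicket() result; the POST handler that saves a reply must repeat the check rather than trust that the form was displayed, since the form fields can be submitted without ever loading the page.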
